diff options
Diffstat (limited to 'pkgs/servers')
-rw-r--r-- | pkgs/servers/mail/dovecot/2.0.nix | 20 | ||||
-rw-r--r-- | pkgs/servers/samba/default.nix | 10 | ||||
-rw-r--r-- | pkgs/servers/samba/readlink.patch | 217 |
3 files changed, 244 insertions, 3 deletions
diff --git a/pkgs/servers/mail/dovecot/2.0.nix b/pkgs/servers/mail/dovecot/2.0.nix new file mode 100644 index 000000000000..a2278533dad8 --- /dev/null +++ b/pkgs/servers/mail/dovecot/2.0.nix @@ -0,0 +1,20 @@ +{stdenv, fetchurl, openssl, pam}: + +stdenv.mkDerivation { + name = "dovecot-2.0.15"; + + buildInputs = [openssl pam]; + + src = fetchurl { + url = http://dovecot.org/releases/2.0/dovecot-2.0.15.tar.gz; + sha256 = "03byp6alxxk65qfjjnqp6kcncs5cdiqgskx90nk9kcnynl1h6r33"; + }; + + meta = { + homepage = http://dovecot.org/; + description = "Open source IMAP and POP3 email server written with security primarily in mind"; + maintainers = with stdenv.lib.maintainers; [viric]; + platforms = with stdenv.lib.platforms; linux; + }; + +} diff --git a/pkgs/servers/samba/default.nix b/pkgs/servers/samba/default.nix index c76c52e5fcc4..a6ade7400e86 100644 --- a/pkgs/servers/samba/default.nix +++ b/pkgs/servers/samba/default.nix @@ -21,13 +21,18 @@ let in stdenv.mkDerivation rec { - name = "samba-3.6.0"; + name = "samba-3.6.1"; src = fetchurl { url = "http://us3.samba.org/samba/ftp/stable/${name}.tar.gz"; - sha256 = "0gzm09l75i95iibcxykc2h2m9haqx70jp1bpis1mhmvqwillbhg1"; + sha256 = "0r6mbghja357xhpada5djg0gpczi50f18ap53hdn8b7y0amz5c65"; }; + patches = + [ # Fix for https://bugzilla.samba.org/show_bug.cgi?id=8541. + ./readlink.patch + ]; + buildInputs = [ readline pam openldap popt iniparser libunwind fam acl cups ] ++ stdenv.lib.optional useKerberos kerberos; @@ -37,7 +42,6 @@ stdenv.mkDerivation rec { configureFlags = '' --with-pam - --with-cifsmount --with-aio-support --with-pam_smbpass --disable-swat diff --git a/pkgs/servers/samba/readlink.patch b/pkgs/servers/samba/readlink.patch new file mode 100644 index 000000000000..84c0e021b1c6 --- /dev/null +++ b/pkgs/servers/samba/readlink.patch @@ -0,0 +1,217 @@ +diff --git a/source3/include/smb.h b/source3/include/smb.h +index 3a64af7..549ebb2 100644 +--- a/source3/include/smb.h ++++ b/source3/include/smb.h +@@ -1714,6 +1714,7 @@ struct smb_file_time { + #define UCF_ALWAYS_ALLOW_WCARD_LCOMP 0x00000002 + #define UCF_COND_ALLOW_WCARD_LCOMP 0x00000004 + #define UCF_POSIX_PATHNAMES 0x00000008 ++#define UCF_UNIX_NAME_LOOKUP 0x00000010 + + /* + * smb_filename +diff --git a/source3/smbd/filename.c b/source3/smbd/filename.c +index 25301e6..b2ed239 100644 +--- a/source3/smbd/filename.c ++++ b/source3/smbd/filename.c +@@ -383,7 +383,7 @@ NTSTATUS unix_convert(TALLOC_CTX *ctx, + + if((!conn->case_sensitive || !(conn->fs_capabilities & + FILE_CASE_SENSITIVE_SEARCH)) && +- stat_cache_lookup(conn, &smb_fname->base_name, &dirpath, &start, ++ stat_cache_lookup(conn, posix_pathnames, &smb_fname->base_name, &dirpath, &start, + &smb_fname->st)) { + goto done; + } +@@ -977,26 +977,39 @@ NTSTATUS unix_convert(TALLOC_CTX *ctx, + } + + /**************************************************************************** +- Check a filename - possibly calling check_reduced_name. +- This is called by every routine before it allows an operation on a filename. +- It does any final confirmation necessary to ensure that the filename is +- a valid one for the user to access. ++ Ensure a path is not vetod. + ****************************************************************************/ + +-NTSTATUS check_name(connection_struct *conn, const char *name) ++NTSTATUS check_veto_path(connection_struct *conn, const char *name) + { + if (IS_VETO_PATH(conn, name)) { + /* Is it not dot or dot dot. */ +- if (!((name[0] == '.') && (!name[1] || +- (name[1] == '.' && !name[2])))) { +- DEBUG(5,("check_name: file path name %s vetoed\n", ++ if (!(ISDOT(name) || ISDOTDOT(name))) { ++ DEBUG(5,("check_veto_path: file path name %s vetoed\n", + name)); + return map_nt_error_from_unix(ENOENT); + } + } ++ return NT_STATUS_OK; ++} ++ ++/**************************************************************************** ++ Check a filename - possibly calling check_reduced_name. ++ This is called by every routine before it allows an operation on a filename. ++ It does any final confirmation necessary to ensure that the filename is ++ a valid one for the user to access. ++****************************************************************************/ ++ ++NTSTATUS check_name(connection_struct *conn, const char *name) ++{ ++ NTSTATUS status = check_veto_path(conn, name); ++ ++ if (!NT_STATUS_IS_OK(status)) { ++ return status; ++ } + + if (!lp_widelinks(SNUM(conn)) || !lp_symlinks(SNUM(conn))) { +- NTSTATUS status = check_reduced_name(conn,name); ++ status = check_reduced_name(conn,name); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(5,("check_name: name %s failed with %s\n",name, + nt_errstr(status))); +@@ -1314,6 +1327,12 @@ NTSTATUS filename_convert(TALLOC_CTX *ctx, + return status; + } + ++ if ((ucf_flags & UCF_UNIX_NAME_LOOKUP) && ++ VALID_STAT((*pp_smb_fname)->st) && ++ S_ISLNK((*pp_smb_fname)->st.st_ex_mode)) { ++ return check_veto_path(conn, (*pp_smb_fname)->base_name); ++ } ++ + status = check_name(conn, (*pp_smb_fname)->base_name); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(3,("filename_convert: check_name failed " +diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h +index c455ffe..02b5e40 100644 +--- a/source3/smbd/proto.h ++++ b/source3/smbd/proto.h +@@ -336,6 +336,7 @@ NTSTATUS unix_convert(TALLOC_CTX *ctx, + const char *orig_path, + struct smb_filename **smb_fname, + uint32_t ucf_flags); ++NTSTATUS check_veto_path(connection_struct *conn, const char *name); + NTSTATUS check_name(connection_struct *conn, const char *name); + int get_real_filename(connection_struct *conn, const char *path, + const char *name, TALLOC_CTX *mem_ctx, +@@ -1037,6 +1038,7 @@ void stat_cache_add( const char *full_orig_name, + char *translated_path, + bool case_sensitive); + bool stat_cache_lookup(connection_struct *conn, ++ bool posix_paths, + char **pp_name, + char **pp_dirpath, + char **pp_start, +diff --git a/source3/smbd/statcache.c b/source3/smbd/statcache.c +index e2ccc74..e910982 100644 +--- a/source3/smbd/statcache.c ++++ b/source3/smbd/statcache.c +@@ -150,6 +150,7 @@ void stat_cache_add( const char *full_orig_name, + * Look through the stat cache for an entry + * + * @param conn A connection struct to do the stat() with. ++ * @param posix_paths Whether to lookup using stat() or lstat() + * @param name The path we are attempting to cache, modified by this routine + * to be correct as far as the cache can tell us. We assume that + * it is a talloc'ed string from top of stack, we free it if +@@ -166,6 +167,7 @@ void stat_cache_add( const char *full_orig_name, + */ + + bool stat_cache_lookup(connection_struct *conn, ++ bool posix_paths, + char **pp_name, + char **pp_dirpath, + char **pp_start, +@@ -181,6 +183,7 @@ bool stat_cache_lookup(connection_struct *conn, + char *name; + TALLOC_CTX *ctx = talloc_tos(); + struct smb_filename smb_fname; ++ int ret; + + *pp_dirpath = NULL; + *pp_start = *pp_name; +@@ -283,7 +286,13 @@ bool stat_cache_lookup(connection_struct *conn, + ZERO_STRUCT(smb_fname); + smb_fname.base_name = translated_path; + +- if (SMB_VFS_STAT(conn, &smb_fname) != 0) { ++ if (posix_paths) { ++ ret = SMB_VFS_LSTAT(conn, &smb_fname); ++ } else { ++ ret = SMB_VFS_STAT(conn, &smb_fname); ++ } ++ ++ if (ret != 0) { + /* Discard this entry - it doesn't exist in the filesystem. */ + memcache_delete(smbd_memcache(), STAT_CACHE, + data_blob_const(chk_name, strlen(chk_name))); +diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c +index 0931fff..129ab01 100644 +--- a/source3/smbd/trans2.c ++++ b/source3/smbd/trans2.c +@@ -2271,6 +2271,7 @@ static void call_trans2findfirst(connection_struct *conn, + TALLOC_CTX *ctx = talloc_tos(); + struct dptr_struct *dirptr = NULL; + struct smbd_server_connection *sconn = req->sconn; ++ uint32_t ucf_flags = (UCF_SAVE_LCOMP | UCF_ALWAYS_ALLOW_WCARD_LCOMP); + + if (total_params < 13) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); +@@ -2314,6 +2315,7 @@ close_if_end = %d requires_resume_key = %d level = 0x%x, max_data_bytes = %d\n", + reply_nterror(req, NT_STATUS_INVALID_LEVEL); + goto out; + } ++ ucf_flags |= UCF_UNIX_NAME_LOOKUP; + break; + default: + reply_nterror(req, NT_STATUS_INVALID_LEVEL); +@@ -2331,8 +2333,7 @@ close_if_end = %d requires_resume_key = %d level = 0x%x, max_data_bytes = %d\n", + ntstatus = filename_convert(ctx, conn, + req->flags2 & FLAGS2_DFS_PATHNAMES, + directory, +- (UCF_SAVE_LCOMP | +- UCF_ALWAYS_ALLOW_WCARD_LCOMP), ++ ucf_flags, + &mask_contains_wcard, + &smb_dname); + if (!NT_STATUS_IS_OK(ntstatus)) { +@@ -5103,6 +5104,7 @@ static void call_trans2qfilepathinfo(connection_struct *conn, + } else { + uint32_t name_hash; + char *fname = NULL; ++ uint32_t ucf_flags = 0; + + /* qpathinfo */ + if (total_params < 7) { +@@ -5114,9 +5116,16 @@ static void call_trans2qfilepathinfo(connection_struct *conn, + + DEBUG(3,("call_trans2qfilepathinfo: TRANSACT2_QPATHINFO: level = %d\n", info_level)); + +- if (INFO_LEVEL_IS_UNIX(info_level) && !lp_unix_extensions()) { +- reply_nterror(req, NT_STATUS_INVALID_LEVEL); +- return; ++ if (INFO_LEVEL_IS_UNIX(info_level)) { ++ if (!lp_unix_extensions()) { ++ reply_nterror(req, NT_STATUS_INVALID_LEVEL); ++ return; ++ } ++ if (info_level == SMB_QUERY_FILE_UNIX_BASIC || ++ info_level == SMB_QUERY_FILE_UNIX_INFO2 || ++ info_level == SMB_QUERY_FILE_UNIX_LINK) { ++ ucf_flags |= UCF_UNIX_NAME_LOOKUP; ++ } + } + + srvstr_get_path(req, params, req->flags2, &fname, ¶ms[6], +@@ -5131,7 +5140,7 @@ static void call_trans2qfilepathinfo(connection_struct *conn, + conn, + req->flags2 & FLAGS2_DFS_PATHNAMES, + fname, +- 0, ++ ucf_flags, + NULL, + &smb_fname); + if (!NT_STATUS_IS_OK(status)) { |